CVE-2026-58492

getgrav · grav

The grav-plugin-database for Grav CMS is vulnerable to SQL injection via the PDO::tableExists method due to improper input sanitization.

Executive summary

A critical SQL injection vulnerability in the Grav CMS database plugin allows unauthorized attackers to execute arbitrary SQL commands against the backend database.

Vulnerability

The plugin fails to sanitize the table argument in the PDO::tableExists method before interpolating it into a raw SQL query. This allows an attacker to inject arbitrary SQL commands, resulting in unauthorized database interaction.

Business impact

Successful exploitation of this SQL injection vulnerability could lead to the complete exposure of sensitive site data, unauthorized modification of records, or potential administrative account takeover. With a CVSS score of 9.2, the vulnerability poses a high risk to the confidentiality and integrity of the CMS-managed data.

Remediation

Immediate Action: Update the grav-plugin-database to version 1.2.0 or later to resolve the SQL injection flaw.

Proactive Monitoring: Monitor database query logs for suspicious patterns, such as unexpected table enumeration or syntax errors indicative of SQL injection attempts.

Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection detection capabilities to block malicious payloads targeting the database plugin.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical nature of SQL injection vulnerabilities, immediate application of the provided patch is essential. Organizations should update the plugin and perform a security audit of the database to ensure no unauthorized modifications have occurred prior to the update.